Methods and systems providing cyber security

ABSTRACT

For cyber security, a computer with network access incorporates game theory and utilizes a honey net to enhance game-theoretic developments over active and passive sensors. To numerically solve the uniquely three-sided game modeled cyber security problem, a geometry method based on 3D action curves can be applied. The method can first determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; can check whether the equilibrium is a mixed or pure Nash equilibrium; can timely compute Nash equilibriums; and follows a fictitious play concept. The solution is adaptive and can be applied to any partially observed cyber security system.

STATEMENT OF GOVERNMENT INTEREST

This invention was made with Government support under Contract No. FAB9453-14-C-0016, awarded by the United States Air Force. The U.S. Government has certain rights in this invention.

FIELD OF THE INVENTION

The present invention relates generally to the field of network security. More particularly, the present invention is related to methods for analysis of cyber network interactions among attackers, passive network sensors, and active network sensors using three-sided games, where each side can have multiple participants sharing the same goal. The method provides network security based on the analysis.

BACKGROUND

Network attacks include one-to-one attacks, one-to-many attacks, and many-to-one attacks. Existing network security methods suffer from high false positives, difficulty in detecting highly complex attacks, and the inability to adapt to detect new types of attacks. Moreover, existing methods often perform attack identification in a passive manner by using only available alerts instead of actively seeking and prioritizing the most useful alerts to mitigate. Another aspect that is lacking with current methods is the ability to provide effective mitigation of network threats, to predict future attacks, and to resolve multiple simultaneous attacks. For current methods, the recommendation of mitigation is usually provided in an ad hoc and heuristic manner, often independent of the situation awareness (SA) process, the user, or the importance of the network for operational considerations.

SUMMARY OF THE EMBODIMENTS

It is a feature of the present invention to provide network security in the form of three-sided game-theoretic analysis of the cyber network interactions among attackers, passive network sensors, and active network sensors. A honey net (e.g., including active network sensors) can act as a supportive side, which can be camouflaged in the network to help passive sensors detect and track cyber network attacks.

In accordance with an additional feature of the present invention, a system is provided that includes a computer programmed for three-side game-theoretic analysis of cyber network interactions among attackers, passive network sensors, and active network sensors. A honey net acts as a support side, which can be camouflaged in the network to help passive network sensors detect and track cyber network attacks, which generally originate from attacking servers. Game theory is a relatively new application for cyber research, and the use of a honey net provides a unique aspect of the work that enhances game-theoretic developments over passive network sensors and active network sensors.

It is yet another feature of the present invention to utilize a geometry method based on three-dimensional action curves to numerically solve the uniquely three-side game modeled cyber security problem. The numerical game solution includes four features: first, it can quickly determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; second, it can efficiently check whether the equilibrium is a mixed or pure Nash equilibrium; third, it can timely compute the (mixed) Nash equilibriums; and fourth, it also follows a Fictitious Play concept. These four features provide an adaptive solution and can be applied in any partially observed cyber security system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a system in accordance with features of the present invention;

FIG. 2 is a concept level block diagram of the three-side game engine for cyber network security problems;

FIG. 3 depicts the system level flowchart of the three-side game model and the geometric solutions;

FIG. 4 depicts an exemplary three-side game in a matrix format;

FIG. 5 is an exemplary action curve and surface intersection which has a pure active sensor strategy;

FIG. 6 depicts another exemplary action curve and surface intersection which is a typical mixed Nash equilibrium;

FIG. 7 is a flowchart showing the block 33, “determine a cell and line segment”, of FIG. 3.

FIG. 8 depicts an exemplary cell and line segment to be searched for the intersection of the action surface (of the attacker) and the action curve (of the defender).

FIG. 9 is a flowchart showing the main process of the “current set contains MNE?” route 71 in FIG. 7.

FIG. 10 is a flowchart showing the “is p inside a triangle (p1, p2, p3)?” route 93 in FIG. 9.

FIG. 11 depicts an exemplary cell and line segment containing the intersection of the action surface (of the attacker) and the action curve (of the defender).

DETAILED DESCRIPTION OF EMBODIMENTS

The purpose of this invention is to develop three-side game theory based innovative situation awareness systems and methods for active network security and impact mitigation of adversarial attacks against cyber networks.

Referring to FIG. 1, there is shown an implementation of a cyber-network security system according to the invention in a local network having the passive and active network sensors deployed. The local network comprises N production servers 14₁ to 14_N. The network traffic can be monitored by a Snort based passive network sensor (PNS) 12 a, which can be controlled by the PNS engine 12 b. Some network requests can be routed to an active network sensor (ANS) 13 b, which can interact with remote users in a virtual way. The ANS can be deployed based on Honeypot and Address Resolution Protocol Daemon (ARPD). The interaction scripts and strategies can be reconfigured via the ANS engine 13 b. The attacker 10 can launch cyber-attacks against the local network via the Internet 11. The PNS engine and ANS engine can follow the mixed Nash equilibrium of the three-side game model shown in FIG. 2.

FIG. 2 shows the concept level framework of the three-side game engine. Attacker 2 may launch various cyber-attack weapons 21 a, which are inputs to the game model. Attacks will get rewards 21 b, which depend on the game model parameters 23, PNS strategies 25 a, and ANS strategies 26 a. Similarly, PNS 27 and ANS 28 can obtain their rewards 25 b and 26 b respectively. Their values are also partially determined by the attacker's choices. This reward dependence is the main modeling merit of the game theory method: decisions should be made with consideration of the opponents. To obtain the game solution of mixed Nash equilibrium (MNE), the invention presents a geometric way 24 to determine and calculate the intersection point of the attacker's action surface and the defender's action curve. The action surface or action curve is the set of one side's best response actions for his opponents' possible choices. In the three-side cyber game model, the ANS and PNS are coordinated to defend against attackers. Therefore, given combined PNS and ANS choices (h_k, s_k), the attacker will compute his best response r_k. Since h_k, s_k and r_k are all scalar values, the attacker's best response set is a surface, which is called an action surface. Similarly, for ANS and PNS, their combined best response is a curve, called an action curve.

FIG. 3 shows the system level flowchart of the invention. Block 30 creates a three-side game model based on a scenario or problem. For the general scenario in FIG. 1, the system states are defined as the probability vector of N servers:

$$(p^{1}_{1|1},\, p^{1}_{1|0},\, p^{2}_{1|1},\, p^{2}_{1|0},\, \ldots,\, p^{N}_{1|1},\, p^{N}_{1|0}) \quad (1)$$

where $p^{i}_{1|1}$ is the detection rate (DR), which is the probability that server i is flagged as attacked when it is actually attacked, and $p^{i}_{1|0}$ is the false positive rate (FPR), which is the probability that server i is flagged as attacked when it is actually NOT attacked.

Given the system state vector $p=(p^{1}_{1|1},\, p^{1}_{1|0},\, p^{2}_{1|1},\, p^{2}_{1|0},\, \ldots)'$, the reward functions for the attacker and defender are defined as

$$J_d(p)=\sum_{i=1}^{N}\left(c^{i1}\, p^{i}_{1|1} - c^{i2}\, p^{i}_{0|1} - c^{i3}\, p^{i}_{1|0}\right) \quad (2)$$

$$J_a(p)=\sum_{i=1}^{N}\left(v^{i1}\, p^{i}_{s} - v^{i2}\, p^{i}_{f}\right) \quad (3)$$

where $c^{i1}, c^{i2}, c^{i3}$ are the positive constants for server i; $p^{i}_{0|1}=1-p^{i}_{1|1}$ is the missed detection probability; $v^{i1}, v^{i2}$ are the value of server i and the cost of attacking server i; $p^{i}_{s}$ is the probability of successfully penetrating server i. The model includes $p^{i}_{s}=p^{i}_{0|1}\,p_a(j)$, where $p_a(j)$ is the success rate of the selected attack j. $p^{i}_{f}$ is the probability that an attack on server i fails, and $p^{i}_{f}=p^{i}_{1|1}+p^{i}_{0|1}\,(1-p_a(j))$. The three-side interaction is modeled as a matrix game. FIG. 4 depicts an exemplary three-side game in a matrix format. The game size (shown by 40) is determined by the possible strategies of the three sides. After all sides choose their strategies, a special 3D action curve or cube can be picked. For example, if the attacker chooses r₃, the ANS chooses h₃, and the PNS chooses s₃, then cube 41 is picked. Square 43 is the coordinated strategy of PNS and ANS. Square 42 tells the chosen attacker strategy. In the cube 41, there are two values obtained from equations (2) and (3), respectively.

The game in FIG. 4 is played by three sides in such a way that the attacker chooses his strategy to maximize J_a (eq. 3) in the picked cube (for example cube 41 in FIG. 4), while the PNS and ANS choose their coordinated strategies to maximize J_d (eq. 2) in the same cube, which depends on both the attacker's and the PNS/ANS combined choices.

To solve the three-sided game problem, this invention presents a geometric game solution to compute MNEs. The action curve (surface) based solution is depicted in blocks 31-34 of FIG. 3. Block 31 computes the action curve of PNS and ANS. For all possible attacker strategies, eq. (2) is maximized by choosing the coordinated PNS and ANS strategies. By connecting all these best responses of coordinated strategies, along with the chosen attacker strategies, block 31 obtains the defender action curve.

Block 32 computes the action surface of the attacker. For any possible coordinated PNS and ANS strategies, eq. (3) is maximized by choosing the attacker strategy. Then block 32 connects these best responses of attacking strategies, along with the chosen coordinated defender strategies, to obtain the attacker action surface.

For the three-side game, an intersection of the action curve and the action surface is a Nash strategy. If the intersection is located exactly on these best response points, then the Nash strategy is a pure Nash equilibrium (PNE). Otherwise it is a mixed Nash equilibrium (MNE). A PNE can be seen as a special case of an MNE, so in this invention, MNEs are used to solve the three-side game engine. Another advantage of MNE is that at least one MNE always exists for the three-side game model for cyber network security.
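As an added illustration (not code from the patent), the following Python computes the two cube values of FIG. 4 from eqs. (2) and (3), builds the defender action curve (block 31) and the attacker action surface (block 32) on a constructed two-server scenario, and checks whether the best responses meet in a pure Nash equilibrium; the strategy sets, detection rates and constants are assumed values.

```python
from itertools import product

def miss_rate(p11):
    """p_{0|1} = 1 - p_{1|1}: an attack on the server goes unflagged."""
    return 1.0 - p11

def penetration_success(p11, p_a):
    """p_s = p_{0|1} * p_a(j): the attack is missed and succeeds on its own."""
    return miss_rate(p11) * p_a

def attack_failure(p11, p_a):
    """p_f = p_{1|1} + p_{0|1} * (1 - p_a(j)); by construction p_s + p_f == 1."""
    return p11 + miss_rate(p11) * (1.0 - p_a)

def defender_reward(state, c):
    """Eq. (2). state: [(p_{1|1}, p_{1|0}) per server]; c: [(c^{i1}, c^{i2}, c^{i3})]."""
    return sum(c1 * p11 - c2 * miss_rate(p11) - c3 * p10
               for (p11, p10), (c1, c2, c3) in zip(state, c))

def attacker_reward(state, v, p_a):
    """Eq. (3). v: [(server value v^{i1}, attack cost v^{i2})]; p_a: success rate of the attack."""
    return sum(v1 * penetration_success(p11, p_a) - v2 * attack_failure(p11, p_a)
               for (p11, _), (v1, v2) in zip(state, v))

# Constructed scenario (assumed values, not from the patent): N = 2 servers,
# three coordinated (PNS, ANS) strategies and two attacker strategies.
C = [(10.0, 8.0, 2.0), (6.0, 5.0, 1.0)]
V = [(10.0, 3.0), (6.0, 2.0)]
P_A = [0.9, 0.4]       # p_a(j) for attacker strategies r_0, r_1
DEFENDER = [0, 1, 2]   # 0: PNS low sensitivity, 1: PNS high sensitivity, 2: PNS + ANS honeypot
ATTACKER = [0, 1]
# (detection rate, false-positive rate) per server in each (defender, attacker) cube
STATE = {
    (0, 0): [(0.5, 0.02), (0.5, 0.02)], (0, 1): [(0.3, 0.02), (0.3, 0.02)],
    (1, 0): [(0.8, 0.20), (0.8, 0.20)], (1, 1): [(0.6, 0.20), (0.6, 0.20)],
    (2, 0): [(0.9, 0.05), (0.9, 0.05)], (2, 1): [(0.5, 0.05), (0.5, 0.05)],
}

def cube(d, j):
    """The two values stored in cube (d, j) of the FIG. 4 matrix: (J_d, J_a)."""
    state = STATE[(d, j)]
    return defender_reward(state, C), attacker_reward(state, V, P_A[j])

def defender_action_curve():
    """Block 31: for each attacker strategy, the coordinated (PNS, ANS) choice maximising J_d."""
    return {j: max(DEFENDER, key=lambda d: cube(d, j)[0]) for j in ATTACKER}

def attacker_action_surface():
    """Block 32: for each coordinated defender choice, the attack maximising J_a."""
    return {d: max(ATTACKER, key=lambda j: cube(d, j)[1]) for d in DEFENDER}

def pure_nash_equilibria():
    """Cubes where the curve and surface meet at a best-response point (a PNE).
    An empty list means every equilibrium of this game is mixed."""
    curve, surface = defender_action_curve(), attacker_action_surface()
    return [(d, j) for d, j in product(DEFENDER, ATTACKER)
            if curve[j] == d and surface[d] == j]
```

In this constructed scenario the best responses cycle (defender 0 → attack 0 → defender 2 → attack 1 → defender 1 → attack 0), so no cube is a PNE and the cell search of block 33 for a mixed equilibrium is what remains.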

FIG. 5 is an exemplary action curve and surface intersection which has a pure active sensor strategy. 51₀₀ is the point on the attacker action surface when ANS and PNS choose the coordinated strategy (0, 0). 51_(a2) is the point on the attacker action surface when ANS and PNS choose the coordinated strategy (10, 2). 50₇ is the point on the defender action curve when the attacker takes the no. 7 strategy. 50₅ is the point on the defender action curve when the attacker takes the no. 5 strategy. 52_(a) and 52₅ are the contour lines of the attacker action surface when the attacking rate is 50% and 100% of the maximum attacking speed. From the plot in FIG. 5, it is obvious that PNS will play his No. 10 strategy and the intersection occurs between 50₄ and 50₅ on the action curve.

FIG. 6 depicts another exemplary action curve and action surface intersection which is a typical mixed Nash equilibrium. From the plot in FIG. 6, it is difficult to find the location of the intersection. Therefore, the invention presents a geometric way (FIG. 7) to find the cells in the action surface and the related line segments in the action curve that contain the intersection points.

FIG. 7 is a flowchart showing the “determine a cell and line segment” block 33 in the process of FIG. 3. Block 70 initializes the search by setting the sizes of the attacker action set, the PNS action set, and the ANS action set. It also sets the initial position of the search. Block 71 tests whether the current action surface cell and action curve segment contain the intersection. The details of this block are described in FIG. 8. Block 72 saves the current decision set if it contains the intersection. Otherwise, the process will search the next set (surface cell and curve segment). This decision can be decomposed into blocks 73-77. After all sets are searched, the process will exit (block 78) with the saved sets containing the intersection points, which are MNEs. The invention will further calculate the MNEs in block 34 of FIG. 3.

FIG. 8 depicts an exemplary cell and line segment to be searched for the intersection of the action surface (of the attacker) and the action curve (of the defender). 80₁-80₄ determine the action surface cell projected onto the ANS and PNS strategy space (like 43 in FIG. 4). 81₁ and 81₂ define the action curve segment, where r1 and r2 are consecutive attacker strategies. Since all 6 points are on the action surface or the action curve, their locations in 3-D space can be determined. The problem of whether the set contains an intersection point can be solved in the following way:

- if r₁r₂ goes through Δ123, true, exit;
- else if r₁r₂ goes through Δ124, true, exit;
- else if r₁r₂ goes through Δ134, true, exit;
- else if r₁r₂ goes through Δ234, true, else false;

where Δ123 is the triangle determined by points 80₁, 80₂, and 80₃. Similar notes apply to Δ124, Δ134, and Δ234. The geometric way to test whether a line segment goes through a triangle is presented in FIG. 9.

FIG. 9 is a flowchart of testing whether a line segment goes through a triangle. This part is the main process of the “current set contains MNE?” route 71 in FIG. 7. Block 90 specifies the input and output structure. The inputs are the three points of the triangle and the line segment. The output is yes or no. Block 91 calculates the intersection point of the plane which contains the triangle and the line which contains the line segment. The detailed algorithm is listed as follows (p1, p2, p3 are the triangle vertices, ps and pt are the end points of the line segment, and hit is the yes/no output):

n = cross(p2 - p1, p3 - p1); % normal vector of the plane through the triangle

if n' * (pt - ps) == 0, hit = false; return; end % line parallel to the plane: no intersection

r = n' * (p1 - ps) / (n' * (pt - ps)); % ratio along the segment, measured on the normal vector

p = ps + r * (pt - ps); % intersection point of the line and the plane, based on the ratio

Note that the intersection point may not be located in the triangle or in the line segment even if it exists. Therefore, blocks 92-95 are used here to further test whether the intersection point is in the triangle AND in the line segment. Block 92 is clear, while block 93 needs to be expanded and explained in FIG. 10.

FIG. 10 is a flowchart showing the “is p inside a triangle (p1, p2, p3)?” route 93 in FIG. 9. Block 100 specifies the input structure, which contains the three points of the triangle and a point to be tested. Given that p and the triangle are in the same plane (since p is the intersection point, p is in the plane containing the triangle), the geometric test method is based on the following observation. A point p is in the triangle (p₁, p₂, p₃) if and only if

p and p₁ are on the same side of the line through p₂ and p₃, AND

p and p₂ are on the same side of the line through p₁ and p₃, AND

p and p₃ are on the same side of the line through p₁ and p₂.

The invention uses the following geometric algorithm to test whether two points (p1 and p) are on the same side of a line (through p2 and p3):

cp1 = cross(p2 - p3, p - p3); % cross product for the tested point p

cp2 = cross(p2 - p3, p1 - p3); % cross product for the reference point p1

sameSide = (cp1' * cp2 >= 0); % the two cross products point the same way iff p and p1 are on the same side

Blocks 101-106 depict the whole test processing of whether p is inside the triangle (p1, p2, p3).
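The plane-line step of block 91, the same-side test of FIG. 10 and the cell/segment search of FIGS. 7-8 in one runnable Python version (an added example, not the patent's own code); the sample surface cell, the curve points and the 1e-12 tolerance used for the parallel test are assumptions.

```python
from itertools import combinations

def sub(a, b):
    return tuple(x - y for x, y in zip(a, b))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])

def plane_line_intersection(p1, p2, p3, ps, pt, eps=1e-12):
    """Block 91: where line(ps, pt) meets the plane of triangle (p1, p2, p3).
    Returns (r, p) with r the ratio along ps->pt, or None if the line is parallel
    (the pseudocode's exact '== 0' test is replaced by a small tolerance)."""
    n = cross(sub(p2, p1), sub(p3, p1))          # normal vector of the plane
    denom = dot(n, sub(pt, ps))
    if abs(denom) < eps:
        return None
    r = dot(n, sub(p1, ps)) / denom
    return r, tuple(s + r * (t - s) for s, t in zip(ps, pt))

def same_side(p1, p, p2, p3):
    """FIG. 10: p1 and p lie on the same side of the line through p2 and p3 (coplanar points)."""
    cp1 = cross(sub(p2, p3), sub(p, p3))
    cp2 = cross(sub(p2, p3), sub(p1, p3))
    return dot(cp1, cp2) >= 0                    # the boundary counts as inside

def point_in_triangle(p, p1, p2, p3):
    """Route 93: the three same-side conditions of FIG. 10."""
    return (same_side(p1, p, p2, p3) and same_side(p2, p, p1, p3)
            and same_side(p3, p, p1, p2))

def segment_through_triangle(ps, pt, p1, p2, p3):
    """Route 71 (FIG. 9): the segment [ps, pt] passes through triangle (p1, p2, p3)."""
    hit = plane_line_intersection(p1, p2, p3, ps, pt)
    if hit is None:
        return False
    r, p = hit
    return 0.0 <= r <= 1.0 and point_in_triangle(p, p1, p2, p3)   # blocks 92 and 93

def cell_contains_intersection(cell, ps, pt):
    """FIG. 8: test Δ123, Δ124, Δ134 and Δ234 of the four-corner surface cell in turn."""
    return any(segment_through_triangle(ps, pt, *tri) for tri in combinations(cell, 3))

def find_cells(surface, curve):
    """FIG. 7 search: all (cell, segment) pairs that contain an intersection point.
    surface: {(ANS index, PNS index): (h, s, r)} attacker best responses (action surface);
    curve: [(h, s, r), ...] defender best responses ordered by attacker strategy."""
    h_idx = sorted({k[0] for k in surface})
    s_idx = sorted({k[1] for k in surface})
    hits = []
    for hi in range(len(h_idx) - 1):
        for si in range(len(s_idx) - 1):
            cell = [surface[(h_idx[hi + a], s_idx[si + b])] for a in (0, 1) for b in (0, 1)]
            for k in range(len(curve) - 1):
                if cell_contains_intersection(cell, curve[k], curve[k + 1]):
                    hits.append(((hi, si), k))
    return hits

# Constructed sample (assumed values): a flat 2x2 surface cell at r = 1 and a
# three-point action curve whose first segment crosses it at (h, s) = (0.25, 0.25).
SURFACE = {(0, 0): (0.0, 0.0, 1.0), (0, 1): (0.0, 1.0, 1.0),
           (1, 0): (1.0, 0.0, 1.0), (1, 1): (1.0, 1.0, 1.0)}
CURVE = [(0.25, 0.25, 0.0), (0.25, 0.25, 2.0), (2.0, 2.0, 3.0)]
```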

The next step (block 34 of FIG. 3) is to compute the MNE for a given action surface cell and action curve segment which contains the intersection point. FIG. 11 depicts an exemplary cell and line segment containing the intersection of the action surface (of the attacker) and the action curve (of the defender). Points 110₁-110₄ define the cell and point 111 is the intersection point. The exact position (in three dimensions: PNS s*, ANS h*, and attacker r*; see FIG. 4 for a visual illustration) of 111 can be formulated as

$$s^{*}=\lambda_1 s_1+\lambda_2 s_2+\lambda_3 s_3+(1-\lambda_1-\lambda_2-\lambda_3)\,s_4 \quad (4)$$

$$h^{*}=\lambda_1 h_1+\lambda_2 h_2+\lambda_3 h_3+(1-\lambda_1-\lambda_2-\lambda_3)\,h_4 \quad (5)$$

$$r^{*}=\kappa_1 r_1+(1-\kappa_1)\,r_2 \quad (6)$$

where $0\le\lambda_i\le 1$, $0\le(\lambda_1+\lambda_2+\lambda_3)\le 1$, and $0\le\kappa_1\le 1$. $r_1$ and $r_2$ are the attacking strategies of the two end points of the action curve segment. Then the rewards, J, are

$$J^{*}_{d}=J_d(s^{*},h^{*},r^{*})=f_d(\lambda_1,\lambda_2,\lambda_3,\kappa_1) \quad (7)$$

$$J^{*}_{a}=J_a(s^{*},h^{*},r^{*})=f_a(\lambda_1,\lambda_2,\lambda_3,\kappa_1) \quad (8)$$

Since (s*, h*, r*) is a mixed Nash equilibrium, the following equations apply:

$$\partial f_d/\partial\lambda_1=0 \quad (9)$$

$$\partial f_d/\partial\lambda_2=0 \quad (10)$$

$$\partial f_d/\partial\lambda_3=0 \quad (11)$$

$$\partial f_a/\partial\kappa_1=0 \quad (12)$$

where λ₁, λ₂, λ₃, and κ₁ can be obtained by solving equations (9)-(12). Then the MNE can be computed by eqs. (4)-(6).

Block 35 of FIG. 3 implements the obtained MNE. For the defender side, the PNS will play the s₁ strategy with probability λ₁, the s₂ strategy with probability λ₂, the s₃ strategy with probability λ₃, and the s₄ strategy with probability 1−λ₁−λ₂−λ₃. The ANS will play the h₁ strategy with probability λ₁, the h₂ strategy with probability λ₂, the h₃ strategy with probability λ₃, and the h₄ strategy with probability 1−λ₁−λ₂−λ₃. Similarly, for the attacker side, the attacker will play the r₁ strategy with probability κ₁ and the r₂ strategy with probability 1−κ₁. To implement the MNE, two uniformly distributed random variables over [0, 1], X_d for the defender and X_a for the attacker, are created. Each time, the random values are used to determine which pure strategy to use. If X_d∈[0, λ₁], then PNS takes s₁ and ANS takes h₁. If X_d∈(λ₁, λ₁+λ₂], PNS takes s₂ and ANS takes h₂. If X_d∈(λ₁+λ₂, λ₁+λ₂+λ₃], PNS takes s₃ and ANS takes h₃. If X_d∈(λ₁+λ₂+λ₃, 1], PNS takes s₄ and ANS takes h₄. Similarly, if X_a∈[0, κ₁], the attacker will apply the r₁ strategy. If X_a∈[κ₁, 1], the attacker will apply the r₂ strategy.
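Eqs. (4)-(6) and the draw-to-strategy mapping of block 35 as an added Python example (not the patent's own code); the cell corners, segment ends, weights and the seeded draws are assumed values, and the function that plays many rounds is added to check that the observed frequencies match the λ and κ weights.

```python
import random

def mne_point(lam, kappa, s, h, r):
    """Eqs. (4)-(6): s*, h* as a convex combination of the four cell corners
    (s_1..s_4, h_1..h_4) and r* of the two segment ends (r_1, r_2).
    lam = (λ1, λ2, λ3) with every weight in [0, 1]; kappa = κ1 in [0, 1]."""
    l1, l2, l3 = lam
    l4 = 1.0 - l1 - l2 - l3
    if min(l1, l2, l3, l4) < 0.0 or not 0.0 <= kappa <= 1.0:
        raise ValueError("weights must describe a convex combination")
    w = (l1, l2, l3, l4)
    s_star = sum(wi * si for wi, si in zip(w, s))
    h_star = sum(wi * hi for wi, hi in zip(w, h))
    r_star = kappa * r[0] + (1.0 - kappa) * r[1]
    return s_star, h_star, r_star

def defender_pure_strategy(x_d, lam):
    """Block 35: map a uniform draw X_d to the index i of the (s_i, h_i) pair to play,
    using the intervals [0, λ1], (λ1, λ1+λ2], (λ1+λ2, λ1+λ2+λ3], (λ1+λ2+λ3, 1]."""
    upper = 0.0
    for i, li in enumerate(lam):
        upper += li
        if x_d <= upper:
            return i
    return 3

def attacker_pure_strategy(x_a, kappa):
    """Block 35: index 0 (r_1) when X_a <= κ1, else 1 (r_2). The text's two intervals
    share the point κ1; that probability-zero tie is resolved in favour of r_1 here."""
    return 0 if x_a <= kappa else 1

def empirical_mix(lam, kappa, rounds=20000, seed=1):
    """Play the MNE for a number of rounds with seeded draws and return the observed
    frequency of each defender pair and of each attacker strategy."""
    rng = random.Random(seed)
    d_counts, a_counts = [0, 0, 0, 0], [0, 0]
    for _ in range(rounds):
        d_counts[defender_pure_strategy(rng.random(), lam)] += 1
        a_counts[attacker_pure_strategy(rng.random(), kappa)] += 1
    return [n / rounds for n in d_counts], [n / rounds for n in a_counts]
```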

Blocks 36 and 37 of FIG. 3 are designed to let the system update the states defined in eq. (1). Then the game can be updated with the new system states. Accordingly, the three-sided game solution can be calculated using the geometric method of the present invention, which provides a closed loop control paradigm.

For cyber applications, game theory is a relatively new concept, and the use of a honey net is a unique aspect of the work that enhances game-theoretic developments over active and passive sensors. To numerically solve the uniquely three-side game modeled cyber security problem, a geometry method based on the action surface and action curve is developed. To summarize, the present numerical game solution has four features: first, it can quickly determine whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; second, it can efficiently check whether the equilibrium is a mixed or pure Nash equilibrium; third, it can timely compute the (mixed) Nash equilibriums; and fourth, it also follows a Fictitious Play concept, from which the solution is an adaptive one and can be applied to any partially observed cyber security system.

1. A cyber security system, comprising: a computer with data network access and programmed for three-sided game-theoretic analysis of cyber network interactions among attackers, passive network sensors, and active network sensors; a honey net acting as an active side and camouflaged in the data network to help network sensors detect and track cyber network attacks; and at least one network sensor monitoring network traffic and interacting with the honey net.

2. The cyber security system of claim 1, wherein said at least one network sensor is a passive network sensor.

3. The cyber security system of claim 1, wherein said at least one network sensor is an active network sensor.

4. The cyber security system of claim 1, wherein said three-side game-theoretic analysis of cyber network interactions utilizes 3D action curves to analyze and numerically solve three-side game modeled cyber security problems.

5. The cyber security system of claim 4, wherein the three-sided game-theoretic analysis is of cyber network interactions among attackers, passive network sensors, and active network sensors.

6. A method for providing cyber security, comprising: providing at least one computer with data network access and programmed for three-side game-theoretic analysis of cyber network interactions among attackers, passive network sensors, and active network sensors; providing a honey net acting as an active side and camouflaged in the data network to collaborate with network sensors and detect and track cyber network attacks; and providing at least one of a passive network sensor and an active network sensor monitoring network traffic and interacting with the honey net.

7. The method for providing cyber security of claim 6, wherein the three-side game-theoretic analysis of cyber network interactions utilizes 3D action curves to numerically analyze and solve three-side game modeled cyber security problems.

8. The method for providing cyber security of claim 6, wherein the three-sided game-theoretic analysis is of cyber network interactions among attackers, passive network sensors, and active network sensors.

9. The method for providing cyber security of claim 7, wherein the three-sided game-theoretic analysis is of cyber network interactions among attackers, passive network sensors, and active network sensors.

10. The method for providing cyber security of claim 6, wherein the honey net and sensors function as a support side of a three-side game and are camouflaged in the network to assist sensors in detecting and tracking cyber network attacks.

11. The method for providing cyber security of claim 9, wherein the three-sided game-theoretic analysis determines whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; determines if the equilibrium is a mixed or pure Nash; and computes mixed Nash equilibriums.

12. A cyber security system, comprising: at least one computer having data network access and programmed for three-sided game-theoretic analysis of cyber network interactions among attackers, passive network sensors, and active network sensors, wherein the three-side game-theoretic analysis of cyber network interactions utilizes 3D action curves to analyze and numerically solve three-side game modeled cyber security problems; a honey net acting as an active side and camouflaged in the data network to help network sensors detect and track cyber network attacks; and a combination of active and passive network sensors monitoring network traffic and interacting with the honey net.

13. The cyber security system of claim 12, wherein the honey net and sensors function as a supportive side of a three-side game and are camouflaged in the network to assist sensors in detecting and tracking cyber network attacks.

14. The method for providing cyber security of claim 12, wherein the three-sided game-theoretic analysis determines whether the game problem has one Nash equilibrium, multiple Nash equilibriums, or no Nash equilibrium; determines if the equilibrium is a mixed or pure Nash; and computes mixed Nash equilibriums.